Common operational misconceptions

Steven Bellovin smb at
Tue Feb 21 03:44:36 UTC 2012

On Feb 20, 2012, at 10:27 PM, Masataka Ohta wrote:

> Steven Bellovin wrote:
>>> Timer timeouts do not affect TCP MSS.
>> RFC 2923:
>>       TCP should notice that the connection is timing out.  After
>>       several timeouts, TCP should attempt to send smaller packets,
>>       perhaps turning off the DF flag for each packet.  If this
>>       succeeds, it should continue to turn off PMTUD for the connection
>>       for some reasonable period of time, after which it should probe
>>       again to try to determine if the path has changed.
> So?
>> It's Informational, not standards track, but the problem
>> -- and the fix -- have been known for a very long time.
> I'm not sure what, do you think, is the problem, because the
> paragraph of RFC2923 you quote has nothing to do with TCP
> MSS.

Sure it does.  That's in 2.1; the start of it discusses PMTUD
failing for various reasons including firewalls.  
> The relevant section of the RFC (relevant to MSS) should be:
>   The MSS should be determined based on the MTUs of the interfaces on
>   the system, as outlined in [RFC1122] and [RFC1191].
> which means MSS is constant.

The text I quoted says, in so many words, "send smaller packets".
I don't know how it's possible to be more explicit than that.
> Note also that the next paragraph (next to the paragraph you
> quote) of the RFC eventually says to use PMTU of 1280B for
> IPv6 if there are black holes. It is not a very good thing
> to do especially for IP over IP tunnels, because 1280B
> packets are always fragmented if they are carried over a
> tunnel with MTU of 1280B.

Please cite in context.  The text I quoted says that one option
is to try turning off DF; the next paragraph notes that you can't
do that on v6.  It also doesn't say to to use PMTU of 1280, it
says that that's a good fallback, and notes that v6 support requires
that.  Although it doesn't say so, I'll note that IP in IP makes the
outer IP effectively a link layer for the inner IP; as such, it has
to preserve all of the relevant properties including a link MTU of
1280.  If that doesn't work -- though it most likely will, since
the most common hardware MTU is from the ancient 1500 byte Ethernet
size -- the outer IP endpoint has to deal with it appropriately,
such as by intentional fragmentation. just as is done for IP over
ATM with its 53-byte cell size (RFC 2225).
> As implosion cause by multicast PMTUD of IPv6 requires ICMP
> PTB black holed, you can expect a lot of black holes.
> 					Masataka Ohta

		--Steve Bellovin,

More information about the NANOG mailing list